That's how those SDKs work. They require an API key in the client, which is trivial to extract for most apps. Some attempt to obfuscate with native libs, custom protocols, attestations, etc. But most juicy targets end up leaking.
-
Yeah but have the decency of not putting them in the res folder!
-
Meh, it's a broken model from the start.
-
(Disclosure: Firebase PM) Storing resource identifiers client side is not a broken model: consider an app that stores a URL to their API (which is what we see here with `firebase_database_url`). It's necessary for the app to work, and not intended to be secret.
-
API keys may or may not be secret, depending on what the authN/Z model of the backend systems is. Generally speaking, API keys should be used to identify a client (so as to apply quota/rate limits, billing), not to authenticate/authorize an application.
-
For services that do treat API keys as shared secrets, obviously, storing them client side is a bad idea. Some Google APIs do allow API key only access, but we've strongly discouraged use (https://cloud.google.com/docs/authentication/#api_keys …).
-
That's also not to say there aren't attack vectors here. Someone can abuse your API (consume quota, economic DoS), or clone your app. But that's not what happened here.
-
Regardless of the backend you use (built by you, your best friend, or your favorite cloud provider), you need to implement reasonable server side security in order to prevent issues that malicious clients may cause.
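The model the reply above describes (API key identifies the client for quota, a separate credential authorizes the user, and ownership is enforced on the server), as an added example that is not code from this thread, from Firebase, or from any Google SDK. The handler, header names, keys, tokens, users and records are all constructed sample values; the "insecure" handler is the broken model shown beside the corrected one.

```python
"""Added example (not from the thread or from Firebase): a minimal request
handler contrasting an API key used as a shared secret with an API key used
only to identify the calling app. All keys, tokens, users and records are
constructed sample data."""
import time
from collections import defaultdict, deque

# Constructed: the key shipped inside the client is treated as public.
PUBLIC_API_KEYS = {"AIza-example-public-key": "weather-app"}  # placeholder key
# Constructed: server-side session store mapping bearer tokens to users.
SESSIONS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}
# Constructed: which user owns which record.
RECORDS = {"orders/1": {"owner": "alice", "total": 42}}

QUOTA_PER_MINUTE = 3
_hits = defaultdict(deque)  # api_key -> timestamps of recent requests


def _within_quota(api_key, now):
    """Sliding-window rate limit keyed on the API key: identification, not auth."""
    window = _hits[api_key]
    while window and now - window[0] >= 60:
        window.popleft()
    if len(window) >= QUOTA_PER_MINUTE:
        return False
    window.append(now)
    return True


def handle_insecure(headers, path):
    """The broken model: possession of the (extractable) key grants any record."""
    if headers.get("X-Api-Key") not in PUBLIC_API_KEYS:
        return 401, None
    return (200, RECORDS[path]) if path in RECORDS else (404, None)


def handle_secure(headers, path, now=None):
    """Key identifies the client (quota); a bearer token identifies the user;
    ownership is decided on the server, never by the client."""
    now = time.time() if now is None else now
    api_key = headers.get("X-Api-Key")
    if api_key not in PUBLIC_API_KEYS:
        return 400, None  # unknown client app: nothing to bill or limit against
    if not _within_quota(api_key, now):
        return 429, None  # bounds quota abuse by anyone who extracted the key
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    user = SESSIONS.get(token) if token else None
    if user is None:
        return 401, None  # the key alone proves nothing about the caller
    record = RECORDS.get(path)
    if record is None:
        return 404, None
    if record["owner"] != user:
        return 403, None  # server-side authorization check
    return 200, record
```

With only the extracted key, `handle_insecure` hands over any record, while `handle_secure` returns 401 and, after the quota is exhausted, 429; a valid user token for a record someone else owns still gets 403. The quota window is keyed on the API key precisely because that is all the key is good for.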
-
But on the other hand, the app developers are a good reflection of the base. Both are dumb.
-
thanks
-
Ok so, where should it be kept?
-
The least you could have done is to not share them over here too